Troubleshooting slow DNS lookup

Kalman Feher kalman.feher at melbourneit.com.au
Fri Nov 26 08:38:46 UTC 2010




On 26/11/10 5:58 AM, "Mark Andrews" <marka at isc.org> wrote:

> 
> In message <AANLkTimZMC4PGNe7N72hnB7gnjUaT9r2OKTiGAazv4RP at mail.gmail.com>,
> Rianto Wahyudi writes:
>> Hi Mark,
>> 
>> Thanks for the pointers, you are spot on!
>> 
>> Doing dig +trace +dnssec www.paypal.com always fails.
>> After some investigation with the network guys, it appears that our upstream
>> firewall is dropping DNS UDP packets larger than 512 bytes.
>> Cisco FWSM has this configuration enabled by default:
>> 
>> http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/command/reference/i2.html#wp1565355
> 
> So the default is "inspect dns maximum-length 512" if I read that
> page correctly.  "inspect dns" or as a minimum "inspect dns
> maximum-length 4096" will allow reply traffic through for named.
> 
> I thought I had heard that Cisco had code which looked for the EDNS
> UDP size option and adjusted the maximum length based on that on a
> per transaction basis and enforced 512 if there wasn't a EDNS option.
Yes, but I think it's a recent addition to their code.

The Cisco ASA supports:

message-length maximum client auto

This will use the OPT value as the maximum. I know it's supported on version
8.3 of the ASA software. It might not be supported by the switch modules of the
OP.

> 
> Mark

-- 
Kal Feher 
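The thread turns on one field: the UDP payload size a resolver advertises in the EDNS0 OPT record of its query, which is what a "client auto" style inspection has to read, and which a fixed "maximum-length 512" ignores. The block below is an added example written for this page, not Cisco code and not from either poster; it builds DNS queries with and without an OPT record, extracts the advertised size the way a firewall would, and models the three inspection policies discussed (fixed 512, fixed 4096, and "auto" = OPT value or 512 when no OPT is present) to decide whether a reply of a given size would be let through. The policy names and the `effective_max`/`reply_allowed` helpers are this example's own simplification and assume nothing about the real firewall beyond what the thread states.

```python
"""Minimal EDNS0-aware DNS query builder and parser (added example).

Models the DNS inspection behaviours discussed in the thread:
  ("fixed", N)  -> FWSM/ASA "inspect dns maximum-length N" (512 by default)
  ("auto",)     -> ASA "message-length maximum client auto": use the UDP
                   payload size from the client's OPT RR, else 512
The policy model is a simplification for illustration, not vendor code.
"""
import struct

OPT_TYPE = 41          # RFC 6891: EDNS0 OPT pseudo-RR type
NO_EDNS_MAX = 512      # classic DNS-over-UDP limit enforced when no OPT RR


def _encode_name(name):
    """Encode a dotted name as DNS labels, terminated by the root label."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype=1, udp_size=None, do_bit=False, txid=0x1234):
    """Build a query; udp_size adds an OPT RR advertising that payload size."""
    arcount = 1 if udp_size is not None else 0
    # header: ID, flags (RD set), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    msg += _encode_name(qname) + struct.pack("!HH", qtype, 1)  # IN class
    if udp_size is not None:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size,
        # TTL=ext-rcode/version/flags (DO bit is 0x8000), RDLENGTH=0
        ttl = 0x8000 if do_bit else 0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl, 0)
    return msg


def _skip_name(msg, off):
    """Return offset just past a (possibly compressed) owner name."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + ln


def edns_udp_size(msg):
    """Return the advertised EDNS0 UDP payload size, or None if no OPT RR."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):                       # question: name + QTYPE + QCLASS
        off = _skip_name(msg, off) + 4
    for _ in range(an + ns + ar):             # walk RRs looking for OPT
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            return rclass                     # CLASS field carries the size
        off += 10 + rdlen
    return None


def effective_max(query, policy):
    """Largest UDP reply the modelled inspection policy lets through."""
    if policy[0] == "fixed":
        return policy[1]
    size = edns_udp_size(query)               # "auto": honour the OPT value
    return size if size is not None else NO_EDNS_MAX


def reply_allowed(query, reply_len, policy):
    """True if a reply of reply_len bytes would pass for this query."""
    return reply_len <= effective_max(query, policy)


if __name__ == "__main__":
    # Constructed sample: a DNSSEC-capable query like dig +dnssec sends
    q = build_query("www.paypal.com", udp_size=4096, do_bit=True)
    for pol in (("fixed", 512), ("fixed", 4096), ("auto",)):
        print(pol, "1500-byte reply allowed:", reply_allowed(q, 1500, pol))
```

The same check can be run against a live path with the page's own tool: `dig +dnssec +bufsize=4096 www.paypal.com` against `dig +dnssec +bufsize=512 www.paypal.com`; if only the second returns, the inspection limit, not the resolver, is the cause. Note that a fixed `maximum-length` still caps "auto" mode in practice if the device also enforces a ceiling, so check the running config rather than assuming the OPT value alone decides.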
